Security Labs

Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

When it comes to cross-platform backdoors, Adwind is arguably the most popular and best-documented remote access tool (RAT) out there. However, in the last two years, an underground group calling themselves ‘QUA R&D’ have been busy developing and improving a similar Malware-as-a-Service (MaaS) platform, to the point that they have now become a major competitor to Adwind. In fact, QUA R&D's RAT – sold under the name ‘Qrypter’ – is often mistaken by the security community for Adwind.

Overview

Qrypter is a Java-based RAT that uses TOR-based command and control (C2) servers. It was first made available in March 2016...

Forcepoint recently published a whitepaper on how DanderSpritz/PeddleCheap communicates with malicious implants. This is a follow-up blog post on the evasions used in DoublePulsar and DanderSpritz.

DoublePulsar and DanderSpritz use some very interesting network-level evasions. We were not able to find a complete resource focused on these evasion techniques, so as a spin-off from the DanderSpritz/PeddleCheap research we decided to assemble information from different sources into a blog post about them.

Most of the following material is reiteration of work done by other...

Over the weekend, reports emerged of a cryptocurrency mining script injected into government-owned and -run websites across the US, UK and Australia.

The affected websites had a common theme – each included a script that made a request to a JavaScript file hosted on BrowseAloud<dot>com. This script, ba.js, was seemingly modified by a malicious actor to include obfuscated code that made an additional request to the cryptocurrency mining tool CoinHive. End-users who visited one of the affected websites on Sunday, February 11, 2018, would have had a cryptocurrency miner (CoinHive, known to mine Monero coins) run in the...

In the current era of mass malware it's becoming increasingly rare to find something beyond the ‘usual suspects’ we see being spread by high-profile botnets on a regular basis: Dridex spread by Necurs, the ever-increasing number of ransomware families, cryptocurrency miners, credential stealers… the list goes on. These sorts of malware generally make up the majority of incoming malicious samples and are, from a researcher's standpoint, typically not very interesting.

However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which...

In April 2017, a hacker group named The Shadow Brokers released some very advanced cyber weapons. The leaked tools allegedly originate from the hacking arsenal of a powerful intelligence agency.

One of the tools in the leak is a post-exploitation framework called DanderSpritz, which is used for communicating with compromised computers. Forcepoint™ has analyzed the PeddleCheap module of this DanderSpritz framework. The research focuses on network-level communications. To our knowledge, no similar research has previously been published.

Forcepoint Security Labs have recently observed a peculiar email campaign distributing a variant of the Dridex banking trojan. The campaign used compromised FTP sites instead of the more usual HTTP link as download locations for malicious documents, exposing the credentials of the compromised FTP sites in the process.

The malicious emails were distributed just before 12:00 UTC on 17 January 2018 and remained active for approximately seven hours. The emails were sent primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and...

It has been just over a week since the Spectre and Meltdown vulnerabilities were released, shaking everyone out of their post-holiday daze. Our previous blog post on the topic discussed the viability of these attacks in the real world – what have we learned since then?

Note: Forcepoint customers should refer to the Knowledge Base article at https://support.forcepoint.com/KBArticle?id=000014933 for Spectre/Meltdown mitigation and patching advice for all Forcepoint products. New information is posted to the KB article as it becomes available.

For the latest Security Labs research, see Spectre & Meltdown -- A Week (and a bit) On

For the latest information on how this issue affects Forcepoint security products, please see the technical bulletin: Meltdown and Spectre Vulnerability

Update

2018 has gotten off to a tough start with the news of the Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) vulnerabilities. This is a broad industry problem that affects almost everyone, everywhere. Processors from Intel, AMD, and ARM are all potentially vulnerable to at least one variant of Spectre or...

We normally try to protect the things most valuable to us, hence the proliferation of different locks and keys for our cars, houses, etc. These keys in the material world are analogous to our passwords in the digital one. However, even an average user likely has more passwords for the devices and services they use than keys for any other group of assets.

We recently wrote about the Quant malware coming with pre-packaged password stealing capabilities. We all understand that physical security is important, choose our locks carefully and consciously keep our keys where we believe they will be safe from being stolen, but do we...

Forcepoint Security Labs researchers have just returned from a successful Black Hat Europe 2017, hosted in London, UK. We had an enjoyable time presenting, networking and expanding our own knowledge.
Thank you to all those who attended our Briefings talk on Wednesday and who met us at our booth in the Business Hall.